
The most interesting thing about this to me is that on iOS a long press on the image claimed it's going to github.com, while the preview itself was for Mastodon. This indicates that it's parsing the QR code twice and getting different results? I could see this being used to mislead some people, though I'm not sure how many people look at the long press dropdown URL.


Tangential but once in a blue moon I come by some situation where I’m on my phone and I’m looking at something that has a QR code showing on the screen of the phone itself.

And so I do something silly like airdropping a screenshot of it to my laptop so I can scan it with my phone camera, or I get someone else (friends, family) to use their phone to scan the code from my phone screen with the camera app on their phone.

And all this time I was annoyed why I couldn’t just get the link directly from the image on my phone without involving another device, and without having to install yet another third-party app.

And today I learned that all I had to do was long press the QR code in the screenshot in my camera roll and it would actually parse it and make it so I could visit the link!

I think I must have tried long pressing a QR code in an image in the camera roll years ago because it always seemed like something that would make sense to support via long press. Maybe they introduced this feature after I had tried to long press a QR code in an image in the past. Or maybe it was always possible and I didn’t actually ever try to long press it. Or maybe I long pressed the wrong part of the image the first one or two times I ever tried to do it in the past. Either way, very happy to have learned that this is actually possible.


Long pressing still doesn't work for me. Perhaps because I turned off some features related to image intelligence.


On iOS I believe the option is in Settings > General > Language & Region > Live Text. This was introduced in iOS 15.


Yes, I usually share it with Google App, and Lens tab.


I can totally see two parts of the OS both using their own QR parsing code - SmartText using one, and the imaging system another. Apparently each one has their own slightly different error correction implementation.

I bet it'd be possible to create a standard QR Code with a deliberate error that does the same thing. You'd just have to figure out how they're correcting the error differently.

Seems like you discovered a bug-bounty bug just waiting for someone to claim.


QR codes should also show the target URL in text, so the user knows where it is taking them - something like explicit consent.


Google lens and other apps do this.

I've seen apps that read QR codes that don't, however. Usually they're single-purpose and just don't recognize unexpected data (scan the magic code to get a character in a game, etc) but if the expected data is formatted as a URL, maybe it tries to fetch resources there (character information and image).

I can also see someone making a browser extension that allows scanning a QR code to immediately open it so you don't have to leave your current app.


Yep, like how browsers show users urls in their location bars.


When I long-press on iOS, it shows me the Mastodon link as the main "Open" link, as well as "Open in Github" (app link) in the context menu.


This is likely the typical case of related code calling the same function or getter method twice in a context where it is imperative for both calls to return the same result.

It reminds me of code like

    if someCondition(getFoo())
    then doSomethingWith(getFoo())

or even just

    doSomethingWith(getFoo())
    doAnotherThingWith(getFoo())

which is always a code smell, as opposed to

    foo := getFoo()
    if someCondition(foo)
    then doSomethingWith(foo)

and

    foo := getFoo()
    doSomethingWith(foo)
    doAnotherThingWith(foo)
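
The pattern from the comment above, applied to the preview-versus-open mismatch this thread describes, as an added example that is not part of the original comment. `Image`, `decodeA`, `decodeB` and the `.example` URLs are hypothetical stand-ins for two decoders that read one ambiguous image differently; no real QR library is modelled.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Image stands in for a QR image that can be read more than one way.
// Candidates is constructed sample data and is assumed to be non-empty.
type Image struct{ Candidates []string }

// Two hypothetical decoders that resolve an ambiguous image differently.
func decodeA(img Image) string { return img.Candidates[0] }
func decodeB(img Image) string { return img.Candidates[len(img.Candidates)-1] }

func host(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return u.Hostname()
}

// Action is what the UI commits to: the host it displays and the URL it opens.
type Action struct{ ShownHost, OpenURL string }

// doubleDecode is the smell: label and target come from separate decodes.
func doubleDecode(img Image) Action {
	return Action{ShownHost: host(decodeA(img)), OpenURL: decodeB(img)}
}

var ErrAmbiguous = errors.New("decoders disagree; refusing to act")

// boundDecode keeps one payload, derives the label from the value that will
// be opened, and treats a second decoder's disagreement as a hard failure.
func boundDecode(img Image) (Action, error) {
	payload := decodeA(img)
	if other := decodeB(img); other != payload {
		return Action{}, ErrAmbiguous
	}
	return Action{ShownHost: host(payload), OpenURL: payload}, nil
}

func main() {
	ambiguous := Image{Candidates: []string{"https://a.example/x", "https://b.example/y"}}
	fmt.Printf("%+v\n", doubleDecode(ambiguous))
	_, err := boundDecode(ambiguous)
	fmt.Println(err)
}
```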



I often see it in multiple-time-of-use scenarios as well that need to be consistent, i.e. no check vs. use involved.


Shouldn't the compiler optimize this into a single call if they're called so close together?


now THIS sounds like an exploit



